China considers sweeping regulation of cross-border data transfers
8 May 2017. By Xu Yuan.
China is considering a definition of cross-border data transfers that would subject a wide range of data transmission activities to government regulation.
The country's newly introduced Cybersecurity Law, which will take effect next month, requires all data collected during the operation of networks within China to be stored domestically. Security reviews are required when there is a need to transfer data overseas.
In drafting detailed implementation standards for the law, the government is considering a definition of cross-border data transfers that would cover not only transfers of data across China's borders to other countries or international organizations, but also domestic activities that involve foreign entities.
Such activities would include allowing non-Chinese organizations or individuals to obtain or inquire about data stored on Chinese servers, and sending data to servers located within China but controlled by non-Chinese organizations or individuals.
It is understood that the draft definition, together with a series of related standards, is still subject to change and is likely to face strong objections as it makes its way into the final version of the standards.
Last month, the country's Internet regulator, the Cyberspace Administration of China, published a set of rules for conducting security reviews of cross-border transfers of personal information and important data. The consultation period ends on May 11.
According to the rules, cross-border data transfers are defined as the provision by network operators of personal information and important data collected and produced during operations within China to institutions, organizations and individuals overseas.
Network operators should voluntarily conduct security reviews before sending any data overseas, and industry regulators will be responsible for such reviews when certain conditions are met, such as when data contains personal information on 500,000 people or more, or amounts to 1,000GB or more.
A review by the regulators will take up to 60 days. Cross-border data transmissions are prohibited in cases involving possible infringements of personal interests and potential risks to national security and the public interest.